New research shows a severe flaw in the WPA2 protocol leaves Wi-Fi traffic — passwords, chats, emails, and photos — vulnerable to attackers.
Researchers have discovered a key flaw in the WPA2 Wi-Fi encryption protocol that allows hackers to intercept credit card numbers, passwords, photos and other sensitive information.
The new exploit is called KRACK, short for Key Reinstallation Attacks. The research has been kept under wraps for weeks ahead of a coordinated disclosure.
The vulnerability affects the core WPA2 protocol itself and is effective against devices running Android, Linux, and OpenBSD, and to a lesser extent macOS and Windows, as well as MediaTek Linksys. (1)
Timothy Crosby, Senior Security Consultant for Spohn Security Solutions, says that because the flaw is in the Wi-Fi standard and not specific to any particular products, nearly every router, smartphone and PC out there IS impacted – especially attacks against Linux and Android 6.0 or greater devices.
“WPA2 was released in 2004 – it has taken 13 years for someone to find and release the flaw. My concern is, has it been in use all this time without our knowledge? For me, that ratchets up the urgency a bit,” stated Crosby.
So just how widespread is the issue? Per Crosby, many Point of Sales (POS) systems use Wi-Fi to process credit cards – so using debit/credit cards at restaurants, clothing stores, etc. are risky until the flaw is fixed.
“I will be careful where I use my Debit/credit cards for a while,” stated Crosby.
Crosby’s solution to safeguard a network:
On systems required to push secure data over Wi-Fi, put in a VPN layer to provide end to end encryption.
On systems with Pre-Shared Keys (PSK) make sure the PSK/Password is changed after patches are applied.
Timothy Crosby speaks to the following:
- What costs are factored into security breaches like this for businesses?
- How much money are they losing when you consider the time needed to come back from a cyber-attack and the lost productivity associated with it?
- How are those losses affecting the economy and the bottom line?
- With compliance and regulations toughening in some industries and malware becoming more sophisticated, how does a company keep on top of security protocols?
- What are some of the common errors businesses make that lead to security breaches?
- Why is there so little knowledge about security risks and why is it so pervasive?
- Once potential vulnerabilities are identified, then what should be done?
- What are the best practices for identifying what data must be protected?
Spohn Consulting works with organizations to assess the security status of their networks, information, and systems based on Identification and Authorization resources, e.g., people, hardware, software, policies, and capabilities in place to manage the defense of the enterprise and to react as the situation changes.
Dan Goodin – Oct 16, 2017 4:37 am UTC, et al. “Serious Flaw in WPA2 Protocol Lets Attackers Intercept Passwords and Much More.” Ars Technica, 16 Oct. 2017, arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/